Circuit Rider
Version 4.4
By Jim Scheef

Uncle DACS needs you
I’m very pleased to say that someone stepped up to the plate and agreed to take on the job of DACS.doc Editor. If you are disappointed that you missed this opportunity, first, shame on you for not speaking up, and second, it’s never too late to help. We are still looking for at least one more person to run for DACS board. Being a director ranges from fun to frustrating. If you would like to help make DACS a better organization, we will welcome your ideas and help.

Digital Life Show
If you’re a computer game player and you didn’t go down to the Javits Center to see the Digital Life show, well, try to make it next year. I received a gratis invite to see the show on opening day. The reason for this was that Microsoft wanted industry people to watch a long presentation on Vista. Fortunately I was able to miss much of this. The part I did see about the Media Center Edition was interesting. The actual show was almost entirely for gamers–PC and Xbox gamers. One part of the show floor was a huge LAN party with about a hundred Alienware (now owned by Dell) PCs. Bordering this area was a platform for a rock band with many, many loud speakers and the largest flat-screen monitor I’ve ever seen. There were several strategically placed bars around the show floor. I was extremely glad I was there when I was because it would have been hell once the show opened to the public. If you’re coming to the conclusion that the show is oriented to young men 21-39, I think you’re right. The booth babes were getting ready as I left.

My reason for going to the show was to see the latest in home theater systems. There was none of this. I was also interested in home security and automation systems. I found two vendors. I was disappointed by the Digital Life Show, but I am not the target audience.

Microsoft and SCO
Remember the SCO suit against IBM and others over source code allegedly stolen from UNIX (which SCO says it owns) and used in Linux? The legal case is still in the U.S. District Court in Salt Lake City. The potential of a Microsoft connection to SCO could make the shenanigans at Hewlett-Packard look like an episode of Ozzie and Harriet. Basically, it seems that Microsoft said they would guarantee a $50M investment in SCO by BayStar, Inc. You can check this out at www.Linux-Watch.com. Searching on SCO will find the article. You just can’t make this stuff up!

In other Microsoft news, the software giant [the most congenial description I could find on the spur of the moment] has finally agreed to provide security software vendors with information on the kernel-level “hooks” needed to integrate anti-virus and similar security software into the Vista operating system. In the past these companies have been treated as partners and given early access to this API (application programming interface) information while new versions of Windows were still in development. Vista makes some major changes in how these APIs work in an effort to make the operating system more secure. Not using the kernel-level APIs would severely limit the functionality of security software. This time Microsoft withheld the information until the companies started to make really loud noises. What changed? Well, as Microsoft brings a product (Windows Live™ OneCare™) in this arena to market, suddenly Symantec, McAfee and the others are competitors! I thought Microsoft had learned what constituted monopolistic behavior. It’s amazing how utterly blatant they can be!

News from the SANS Institute
The fact that I get all these e-mail newsletters is probably a reason to question my sanity; however, four items in a recent issue of the SANS NewsBytes (Vol. 8, Num. 82, October 17, 2006) caught my eye. This newsletter is a compilation of news items gleaned from other sources. The first item is an appellate court decision regarding e-mail privacy rights. The decision from the Court of Appeals for the Armed Forces “ruled that Lance Corporal Jennifer Long of the US Marine Corps had a reasonable subjective expectation of privacy regarding e-mail stored on her government computer” and that the e-mails could not be admitted as evidence. This possibly precedent-setting decision was based on the fact that the Corporal had a password known only to her and the logon banner did not warn that such access was possible. The banner only “described access to monitor the computer system, not to engage in law enforcement intrusions by examining the contents of particular e-mails in a manner unrelated to maintenance of the e-mail system.” Even if this completely changes the rights of employers to access computers used by employees, my position remains that anyone who uses their work e-mail for personal business is a fool.

The next item was a report from the House Government Reform Committee that said that “there has been data loss from all government agencies.” This is news? Well it would be if there were not more scandalous items coming from Congress. The report continues that “many agencies could not say what data were lost, and many attributed the losses to government contractors. The number of data losses attributed to online attacks is quite low—most losses were due to lax physical security and lost or stolen computers and data storage devices.” And we thought all the problems were at the Veterans Affairs Department, right? You just can’t make this stuff up! (Oh, I already said that.)

More good news from the Congressional Budget Office (CBO), which reported that someone breached one of their servers and obtained the e-mail addresses of their mailing list subscribers. CBO closed the hole that allowed the breach [I believe there is an analogy about a barn door], “but the thieves sent phishing e-mail purporting to come from CBO to the purloined addresses. Law enforcement officials have been notified of the incident and have begun an investigation.”

Last is an item about how McDonalds Japan gave about 10,000 people flash MP3 players as prizes. The devices included ten songs plus a software “bonus” in the form of a variant of the QQpass spyware Trojan horse program. When the devices were connected to a Windows PC, the Trojan horse exposed “passwords and other sensitive data” to attackers. Apparently an infected machine was used to load the content on the players. McDonalds Japan has apologized and established a helpline to help the “winners” disinfect their computers.

Normally the SANS Institute (www.sans.org), which does security training, is not this funny.

The Election
By the time you receive this, the election will be mere days away. Personally I’m more hopeful this year than I have been for the last several elections. Rather than tempt fate by making predictions, I will just ask that you vote your conscience. Next month we can discuss the results!

Jim Scheef is past president of DACS.

 

 


 
 
© Danbury Area Computer Society, Inc. All Rights Reserved.